| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
when using custom nft tables + iptables-nft, iptables-nft -L
may fail with
iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool.
even if filter table is compatible.
Problem is that the chain cache tracks ALL chains.
The "old" compat-check only walked chains in the table to checked
(filter in this case), now we will see all other
chains including base chains of another table.
It seems better to extend the chain cache long-term to track chains
per table instead, but for now skip the foreign ones.
Reported-by: Eric Garver <e@erig.me>
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Allow to show '-p tcp' in case rule was added by nft (which prefers
use of meta l4proto).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code for ebtables-restore was derived from legacy code,
ebtables-save is actually a new implementation using the existing
infrastructure and trying to adhere to legacy perl script output
formatting as much as possible.
This introduces a new format flag (FMT_EBT_SAVE) to allow
nft_bridge_save_rule() to distinguish between ruleset listing (i.e.,
ebtables -L) and saving via ebtables-save - the two differ in how
counters are being formatted. Odd, but that's how it is.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
This wraps nft_init(), adding required things needed for ebtables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Since the function doesn't alter the passed buffer, make it const.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Preparing ebtables-save implementation, allow for callers to pass format
bits to nft_rule_save() instead of just the 'counters' boolean.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
In preparation for ebtables-save implementation, introduce a callback
for convenient per-family formatting of chains in save output.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
The name is quite misleading, since these functions/callbacks are not
about the whole ruleset but just a single rule. So rename them to
reflect this.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Just replace them by the shared save_counters() function after adjusting
it's signature to meet callback requirements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Both functions just pass their parameters 1:1 to nft_ipv46_rule_find, so
replace them by the latter after minor adjustment to match expected
callback signature.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Both functions are identical, replace them by a common one in
nft-shared.c.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Both functions are identical, just passing all their parameters 1:1 to
print_header() shared function. So just replace them by the latter.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Since it is not directly called from outside of nft-arp.c anymore, make
it private and reduce the overlong name it had.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This relieves callers from having to prepare iptables_command_state,
which often happens just for the sake of passing it to this function.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This introduces callbacks in nft_family_ops for parsing an nftnl rule
into iptables_command_state and clearing it afterwards.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Replace union 'state' by its sole member.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
Differences between both structs are marginal (apart from
arptables_command_state being much smaller), so merge them into one.
Struct iptables_command_state is already shared between iptables,
ip6tables and ebtables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
This cleans up a few obvious cases identified by grepping the source
code for 'memset'.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
| |
Without this, trying to add a rule using ebtables without proper
permissions crashes the program.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Since the names without suffix clash with legacy tools, support the
suffixed versions as well to help distributions packaging for parallel
installation of both nft and legacy variants.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Pablo reports that tests that should return nozero now fail.
Reason is that $? is checking return value of "echo" and not the script.
Fixes: 17c66a50608 ("iptables: tests: shell: Add README")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Add test for testing if iptables configuration is restored and saved.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
1) README is added to run test suite.
2) Rename two test-case scripts to follow proper numerical order.
3) "echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line" command
should only used when verbose("-v") option is not there else instead of
clearing "[EXECUTING]" prompt it is clearing last prompt of the test file.
Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
... for consistency with other commands.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
xtables-legacy currently cannot be invoked as ip6tables-legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also, in nf_tables backend case, only show more than one error
if we're iptables-restore, else we get very long concatenated errorline.
old:
iptables v1.6.2: can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2: iptables: CHAIN_ADD failed (Device or resource busy): chain PREROUTINGCHAIN_ADD failed (Device or resource busy): chain INPUTCHAIN_ADD failed (Device or resource busy): chain POSTROUTINGCHAIN_ADD failed (Device or resource busy): chain OUTPUT
iptables-restore v1.6.2: iptables-restore:
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING
now:
iptables v1.6.2 (legacy): can't initialize iptables table `security': Table does not exist (do you need to insmod?)
iptables v1.6.2 (nf_tables): CHAIN_ADD failed (Device or resource busy): chain PREROUTING
iptables-restore v1.6.2 (nf_tables):
line 1: CHAIN_ADD failed (Device or resource busy): chain PREROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain INPUT
line 1: CHAIN_ADD failed (Device or resource busy): chain POSTROUTING
line 1: CHAIN_ADD failed (Device or resource busy): chain OUTPUT
line 6: RULE_INSERT failed (No such file or directory): rule in chain PREROUTING
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Unfortunately no nft translation available so far.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Mimic firewalld startup, i.e. "iptables-restore -n" use.
First script is normal startup,
second script restores ruleset, then re-runs first one (i.e., with
existing rules rather than non-existent tables).
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Need to prepend XT_MULTI, not XTABLES_MULTI.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
In both cases the argument is optional, in both cases
the argument wasn't evaluated.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
no plans to support daemon mode, so remove this.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
| |
Commands, options, filenames, and possibly references to other
manpages, should always use the minus. (Important for copy-n-paste
and e.g. following manpage links.) Everything else can do with the
dash.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
The ipv4 version has bogus counters so this can also check
save/restore -c option.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add script to restore ipt-save files and compare it with save output.
This should be extended to cover as many rulesets as possible, so this
is only a start.
The test script is changed to pass XT_MULTI instead of
iptables/ip6tables.
This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts
multiple times for ip/ip6tables.
Current expected output:
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/000newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: [OK] ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK] ./iptables/tests/shell/testcases/chain/0004newchain_0
I: [OK] ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK] ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While at it, make following changes/fixes:
1. run each test in a fresh net namespace
2. remove rmmod use, its very distuptive and not needed after 1.
3. avoid -e use if possible
4. make sure we exit 0 when test is expected to fail
5. set XT_LIBDIR so we point at the correct extensions to be used
Also delete 0003duplicate_1, its same test as 0001duplicate_1.
NB: I don't think its good to have this 'encode retval in name' scheme.
These are scripts, so they should always return 0, i.e. do
iptables --this-command-should-fail || exit 0
echo "succeess, should fail"
exit 1
Much simpler, imo. This was inherited from nft shell tests
though and changing it there is rather intrusive so use same scheme for
now.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a clear distinction between old iptables (formerly
xtables-multi, now xtables-legacy-multi) and new iptables
(formerly xtables-compat-multi, now xtables-nft-multi).
Users will get the ip/ip6tables names via symbolic links, having
a distinct name postfix for the legacy/nft variants helps to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt wheres
"iptables" could be symlinked to either -nft or -legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
*filter
:INPUT DROP [32:4052]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT
COMMIT
will be restored with ACCEPT policies. When
-A OUTPUT is processed, the OUTPUT chain isn't found in the chain cache,
so the table is re-created with ACCEPT policies, which overrides the
earlier DROP policies.
A better fix would be to add the policy setting to the chain cache
but it seems we'll need a chain abstraction with refcounting first.
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
| |
set -e causes 2nd command (which is expected to fail)
to terminate the script as well.
So, don't set -e and let the error check invert the return
value to 0.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a partial revert of commit 7462e4aa757dc28e74b4a731b3ee13079b04ef23
("iptables-compat: Keep xtables-config and xtables-events out from tree")
and re-adds xtables-events under a new name, with a few enhancements,
this is --trace mode, which replaces printk-based tracing, and an
imroved event mode which will now also display pid/name and new generation id
at the end of a batch.
Example output of xtables-monitor --event --trace
PACKET: 10 fa6b77e1 IN=wlan0 MACSRC=51:14:31:51:XX:XX MACDST=1c:b6:b0:ac:XX:XX MACPROTO=86dd SRC=2a00:3a0:2::1 DST=2b00:bf0:c001::1 LEN=1440 TC=18 HOPLIMIT=61 FLOWLBL=1921 SPORT=22 DPORT=13024 ACK PSH
TRACE: 10 fa6b77e1 raw:PREROUTING:return:
TRACE: 10 fa6b77e1 raw:PREROUTING:policy:DROP
EVENT: -6 -t mangle -A PREROUTING -j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64
NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
nft meta expr enables the nfnetlink based trace infrastruvture, so
prefer to use that rather than xt_TRACE.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Provide a hint that iptables isn't showing all rules because
its using nfnetlink rather than old set/getsockopt.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-V now yields:
arptables vlibxtables.so.12 (nf_tables)
ebtables 1.6.2 (nf_tables)
ip6tables v1.6.2 (legacy)
ip6tables v1.6.2 (nf_tables)
ip6tables-restore v1.6.2 (nf_tables)
ip6tables-save v1.6.2 (nf_tables)
ip6tables-restore v1.6.2 (legacy)
ip6tables-restore-translate v1.6.2
ip6tables-save v1.6.2 (legacy)
ip6tables-translate v1.6.2 (nf_tables)
iptables v1.6.2 (legacy)
iptables v1.6.2 (nf_tables)
iptables-restore v1.6.2 (nf_tables)
iptables-save v1.6.2 (nf_tables)
iptables-restore v1.6.2 (legacy)
iptables-restore-translate v1.6.2
iptables-save v1.6.2 (legacy)
iptables-translate v1.6.2 (nf_tables)
This allows to see wheter "iptables" is using
old set/getsockopt or new nf_tables infrastructure.
Suggested-by: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Refresh this to match reality again.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
inlined from ‘do_commandarp’ at xtables-arp.c:1198:16:
xtables-arp.c:844:2: warning: ‘strncpy’ specified bound 29 equals destination size [-Wstringop-truncation]
strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
xtables-eb-translate.c: In function ‘do_commandeb_xlate’:
xtables-eb-translate.c:285:6: warning: unused variable ‘chcounter’ [-Wunused-variable]
int chcounter = 0; /* Needed for -C */
^~~~~~~~~
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
previous patch shows this problem:
xtables-eb.c: In function ‘parse_change_counters_rule’:
xtables-eb.c:534:65: warning: logical ‘and’ of mutually exclusive tests is always false [-Wlogical-op]
(argv[optind + 1][0] == '-' && (argv[optind + 1][1] < '0' && argv[optind + 1][1] > '9')))
... so this never worked. Just remove it, the arg will be fed to
strtol() -- No need to do this check.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1149
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
| |
Not used in the translator, so zap it.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
